Qualifier Challenge - NRFIN_00024


Original Versions

Known Vulnerabilities

  • CWE-122 - Heap-based Buffer Overflow
  • CWE-193 - Off-by-one Error
  • CWE-416 - Use After Free
  • CWE-825 - Expired Pointer Dereference
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 2.33
  • CodeJitsu: 1.99
  • CSDS: 1.65
  • TrailofBits: 0.61
  • Disekt: 0.19
  • DeepRed: 0.11
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • Disekt - CB1
  • Shellphish - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • Shellphish: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 66.7% - CB1
  • ForAllSecure: 33.3% - CB1
  • DeepRed: 33.3% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Ben Schmidt" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description

Tired of being limited to 160 characters? Want to send large, binary messages over current cellular networks? LMS (Long Message Service) is our proprietary alternative to SMS that allows for longer messages and more efficient transfer of your messages. This is an alpha implementation of a reference client for this excellent new protocol.

Feature List

LMS supports raw message sizes of 256 bytes, can use up to 2**16 fragments, and supports a number of different base encodings. This client will process a series of LMS fragments and decode the message.

Vulnerability

Two separate dangling pointer vulnerabilities exist in the delete_session function, leading to a use-after-free situation in later packet processing. By adding two or more sessions, causing the first to complete, then forcing an appropriately sized allocation to occupy the same memory, it is possible to trigger this condition and cause a segfault.

Additionally, an off-by-one vulnerability exists in add_msg that allows an out-of-bounds write of the value 1 to the byte immediately past the end of the sess->received array.
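As an added illustration (not the challenge binary's source, whose layout is not shown here), the add_msg off-by-one pattern beside a corrected bounds check; the session struct, the function names and the sentinel-byte probe are hypothetical reconstructions of the defect the text describes.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical reconstruction of the fragment-tracking path, not the
 * NRFIN_00024 source: one byte per fragment records whether it arrived. */
typedef struct {
    uint16_t total;      /* fragments expected in this session */
    uint8_t *received;   /* received[i] == 1 once fragment i has arrived */
} session_t;

/* Off-by-one: frag_no == total passes the check and writes received[total],
 * one byte past the end of the array (the defect the page describes). */
int add_msg_vulnerable(session_t *sess, uint16_t frag_no) {
    if (frag_no > sess->total)
        return -1;
    sess->received[frag_no] = 1;
    return 0;
}

/* Hardened: valid indices are 0 .. total-1, so reject frag_no >= total. */
int add_msg_fixed(session_t *sess, uint16_t frag_no) {
    if (frag_no >= sess->total)
        return -1;
    sess->received[frag_no] = 1;
    return 0;
}

/* Call add_msg with frag_no == total and report what landed in the byte
 * right after received[]. A sentinel byte is allocated there so the overflow
 * is observable without touching unowned memory. Returns the sentinel. */
static uint8_t probe(int (*add_msg)(session_t *, uint16_t), uint16_t total) {
    uint8_t *buf = calloc((size_t)total + 1u, 1);  /* received[] + sentinel */
    session_t sess = { .total = total, .received = buf };
    add_msg(&sess, total);                          /* last valid index is total-1 */
    uint8_t sentinel = buf[total];
    free(buf);
    return sentinel;
}

/* Constructed session of 4 fragments for the two variants. */
uint8_t sentinel_after_vulnerable(void) { return probe(add_msg_vulnerable, 4); }
uint8_t sentinel_after_fixed(void)      { return probe(add_msg_fixed, 4); }

/* The hardened check also reports the rejection to the caller. */
int fixed_rejects_total(void) {
    uint8_t buf[4] = {0};
    session_t sess = { .total = 4, .received = buf };
    return add_msg_fixed(&sess, 4);
}
```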

Generic class of vulnerability

  • Use-after-free
  • Heap overflow

CWE classification

  • CWE-122: Heap-based Buffer Overflow
  • CWE-193: Off-by-one Error
  • CWE-416: Use After Free
  • CWE-825: Expired Pointer Dereference

Challenges

Creating multiple sessions from a capture of a single session. This requires reasoning about bitfields and using control over them to create new sessions, as well as crafting well-formed new sessions that parse correctly.

Autonomously discovering UAF/dangling pointer vulnerabilities in a CB utilizing a custom allocator is quite difficult; we anticipate this to be a significant barrier to competitors.

Manipulating allocations in such a way as to overwrite the freed memory is necessary to actually prove vulnerability. Once the vulnerability is discovered, however, this will likely be relatively easy by design.

Correctly patching the vulnerability by removing the dangling pointer, as well as restoring the integrity of the linked list, will likely prove very challenging.


Curated by Lunge Technology, LLC. Questions or comments? Send us email